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DETAILED ACTION 

1 . Claims 1,3-17 and 19-32 are pending in this application. 

Allowable Subject Matter 

2. Claims 3 and 19 are objected to as being dependent upon a rejected base claim, but would 
be allowable if rewritten in independent form including all of the limitations of the base claim 
and any intervening claims. 

Claim Rejections - 35 USC § 103 

3. The following is a quotation of 35 U.S. C 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth 
in section 102 of this title, if the differences between the subject matter sought to be patented and the prior 
art are such that the subject matter as a whole would have been obvious at the time the invention was made 
to a person having ordinary skill in the art to which said subject matter pertains. Patentability shall not be 
negatived by the manner in which the invention was made. 

4. Claims 1, 4-17 and 20-32 are rejected under 35 U.S.C. 103(a) as being unpatentable over 
Schnurer et al (hereafter Schnurer) (U.S. Patent 5,842,002), in view of Nachenberg (U.S. Patent 
6,357,008). 



5. 



Schnurer and Nachenberg were cited in the last office action. 
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6. As to claim 1, Schnurer teaches the invention substantially as claimed including a 
computer-implemented method for executing an untrusted program [abstract, lines 1-2], 
comprising: 

establishing a limited environment within a general environment [col. 6, lines 56-58; 
Figs. 3 and 4], wherein said limited environment comprises one or more mock resources 
[col. 4, lines 16-20, 22-26 and 47-49; col. 7, lines 3-8], wherein said general environment 
comprises one or more real resources [col. 4, lines 24-25; col. 7, lines 15-18], wherein 
programs executing within said limited environment cannot access the one or more real 
resources in said general environment [abstract; col. 5, lines 5-10; col. 7, lines 15-18]; 

executing at least a portion of an untrusted program within said limited environment [col. 
7, lines 5-12]; and examining said limited environment after execution of at least said 
portion of said untrusted program to check for undesirable behavior exhibited by said 
untrusted program [col. 4, lines 32-36; col. 7, lines 12-15; 48, 50, 52, Fig. 1]. 

7. Schnurer does not specifically teach wherein said limited environment and said general 
environment are both provided by the same operating system. However, Schnurer disclosed 
trapping device within a network environment [col. 6, lines 56-58; Fig. 3 and 4]. In addition, 
Nachenberg teaches an antivirus program that includes a decryption, exploration and evaluation 
phases/modules causing a CPU emulator with virtual memory to simulate untrusted 
programs/instructions [Nachenberg, col. 1, lines 16-20; col. 5, lines 27-40; col.6, lines 52-58; col. 
7, line 31 -col. 8, line 47]. 
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8. It would have been obvious to one of an ordinary skill in the art at the time the invention 
was made, to have combined the teaching of Schnurer with the teaching of Nachenberg by 
implementing the limited environment in the same machine as the general environment if the 
limited environment is limited to protect a specific machine and to have an operating system 
within the machine providing both environments for the same reason (i.e. an antivirus program 
running under an operating system protecting other programs/hardware/real resources running 
under the same operating system). 

9. As to claim 4, Schnurer as modified teaches the invention substantially as claimed 
including wherein examining said limited environment comprises: determining whether a mock 
resource has been deleted [col. 4, lines 37-39; col. 7, lines 12-15; Nachenberg, col. 9, line 44]. 
Schnurer as modified does not specifically teach a particular mock resource. However, Schnurer 
disclosed if anything within the environment changes, is a sign of a virus [col. 7, lines 48-52], 
and Nachenberg disclosed signature scanning of known viruses [Nachenberg, col. 1, lines 22- 
45]. It would have been obvious to one of an ordinary skill in the art at the time the invention 
was made, to have recognized that a deletion of a particular file such as a system file is an 
obvious sign of a virus (i.e. deletion of a particular system file that would cause instability to the 
operating system). 
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10. As to claims 5-7, these claims are rejected for the same reason as claim 4 above. In 
addition, Schnurer as modified teaches mock resource has been renamed or moved [Nachenberg, 
col 9, lines 47-49], or altered [col. 7, line 48 to col. 8, line 26; Nachenberg, col. 9, lines 54-55]. 



11. As to claim 8, Schnurer as modified teaches the invention substantially as claimed 
including wherein said mock resource has a parameter associated therewith which changes when 
said mock resource is altered, and wherein determining whether said mock resource has been 
altered, comprises: 

determining whether said parameter has changed [col. 7, line. 48 to col. 8, line 26]. 

12. As to claim 9, Schnurer as modified does not specifically teach the step of determining 
whether said mock resource has been last updated. However, Schnurer disclosed that his system 
could detect any malicious act by the virus, including the activities of changing the FAT table 
and changing of the error checking algorithm [col. 7, lines 59-60; col. 8, lines 25-26; col. 4, lines 
37-39]. It would have been obvious to one of an ordinary skill in the art at the time the invention 
was made, to have recognized that common viral activities or critical behaviors exhibited by 
viruses would have included the updating of system resources as being considered and 
implemented in Schnurer et al's method of virus detection. 
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13. As to claim 10, this claim is rejected for the same reason as claim 4 above. In addition, 
Schnurer as modified teaches the invention substantially as claimed including wherein 
examining said mock environment comprises: 

determining whether said mock resource has been accessed [col. 7, line 48 to col. 8, line 26]. 

14. As to claim 1 1, Schnurer as modified does not specifically teach wherein said mock 
resource contains one or more sets of content, and searching a particular portion of memory for 
at least one of said one or more sets of content. It is well known in the art that when a file gets 
accessed or altered, traces of the contents being accessed is located in the memory, in addition, 
Schnurer disclosed the determination of potential viral activities by examining "if anything 
within the environment changes. . [col. 7, line 48 to col. 8, line 26]. 

15. As to claim 12, Schnurer as modified teaches the invention.substantially as claimed 
including providing information indicating behavior exhibited by said untrusted program [col. 7, 
line 25 to col. 8, line 26]. 

16. As to claims 13 and 14, Schnurer as modified teaches the invention substantially as 
claimed including wherein said information comprises indications of undesirable behavior 
exhibited by said untrusted program [col. 7, lines 48-52], and in response to a determination that 
said untrusted program has exhibited undesirable behavior, taking corrective action [col. 8, lines 
27-35; 52, Fig. 1]. 
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17. As to claims 15 and 16, Schnurer as modified teaches the invention substantially as 
claimed including wherein taking corrective action comprises: deleting said untrusted program 
and warning to a user [col. 8, lines 27-35; 52, Fig. 1]. 

18. As to claims 17 and 20-32, these are system claims that correspond to the method claims 
1 and 4-16. Therefore, they are rejected for the same reason as claims 1 and 4-16 above. 

Response to Arguments 

19. Applicant's arguments filed 10/24/05 have been fully considered but they are not 
persuasive. 

20. In the remarks, Applicant argued in substance that: 

a. Nachenberg fails to teach or suggest that the same operating system provides both 
a limited environment and a general environment. 

2 1 . Examiner respectfully traversed Applicant's remarks: 

As to point (a), Nachenberg teaches an antivirus program that emulates the target 
program in a virtual environment (i.e. limited environment) that is independent of the memory of 
the host computer system [Nachenberg, col. 1, lines 16-20; col. 3, lines 62-65; col.6, lines 52-58; 
col. 7, line 31-col. 8, line 47; Fig. 1], and given the broadest reasonable interpretation of an 
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"operating system" defined by The Microsoft Computer Dictionary Fifth Edition as "the 
software that controls the allocation and usage of hardware resources such as memory, central 
processing unit (CPU) time, disk space, and peripheral devices. The operating system is the 
foundation software on which applications depend," the Examiner believed the above limitations 
have been met. 

22. THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time 
policy as set forth in 37 CFR 1 .136(a). 

A shortened statutory period for reply to this final action is set to expire THREE MONTHS from 
the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the 
mailing date of this final action and the advisory action is not mailed until after the end of the 
THREE-MONTH shortened statutory period, then the shortened statutory period will expire on 
the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1. 136(a) will be 
calculated from the mailing date of the advisory action. In no event, however, will the statutory 
period for reply expire later than SIX MONTHS from the mailing date of this final action. 

23. Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Qing-Yuan Wu whose telephone number is (571) 272-3776. The 
examiner can normally be reached on 8:30am- 5 :00pm. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, William Thomson can be reached on (571) 272-3718. The fax phone number for the 
organization where this application or proceeding is assigned is 571-273-8300. 
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Information regarding the status of an application may be obtained from the Patent 
Application Information Retrieval (PAIR) system. Status information for published applications 
may be obtained from either Private PAIR or Public PAIR. Status information for unpublished 
applications is available through Private PAIR only. For more information about the PAIR 
system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR 
system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). 
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